Tuesday, September 12, 2006

Did SoftScan, Sophos and Panda rip off my blog? (Update: SoftScan and Sophos say 'no')

This morning I saw a news article about subliminal spam messages on ZDNet. I was intrigued to read about it because a few days ago Nick FitzGerald wrote to me with an example spam that he dubbed 'subliminal'. I wrote back and told him I was going to blog about it and he said go ahead.

The blog post is Subliminal advertising in spam? and was posted on Monday, September 4, 2006. That same day Slashdot picked up my blog post here. Later it was also picked up by Digg.

So I was a little surprised that the ZDNet article didn't mention Nick, me, my blog, Slashdot, or Digg. In fact, the article contains a link to Panda's press release on the subject: PandaLabs detects a new spam technique in which they state "PandaLabs has detected a spam message that uses subliminal advertising techniques." No mention of this blog anywhere there either, but there are two images of such a spam, both of which I believe were lifted directly from my blog without attribution. The press release is dated the day after my post/Slashdot headline: Tuesday, September 5, 2006.

Here are the images side by side for comparison:


Image from my blog post


Image from Panda's press release (local archive of the image)

And I named my image sub2.gif when I extracted it from the spam, and Panda named the same image sub2.gif. The MD5 checksum of my image is 9cace353b2d8b2db1d8868c07986f768 and the Panda image has the checksum 9cace353b2d8b2db1d8868c07986f768. And I also thought the original was a bit large for my blog so I reduced it from 603x451 to 302x226; the Panda image has the same reduced dimensions. Hmm. Exactly the same image.

The other image in the press release is also, I believe, from my blog:


Image from my blog post


Image from Panda's press release (local archive of the image)

Once again, I named my image sub3.gif when I extracted it from the spam, and Panda named the same image sub3.gif. The MD5 checksum of my image is 6e16df2d3b67a7578ca7b09f0ccb9fc1 and the Panda image has the checksum 6e16df2d3b67a7578ca7b09f0ccb9fc1. Again I thought the original was a bit large for my blog so I reduced it from 603x451 to 302x226; the Panda image has the same reduced dimensions. Hmm. Exactly the same image, again.

So it looks a lot to me like Panda heard about my blog post (perhaps through Slashdot) and then passed Nick's example off as their own research. Of course, it's possible that Panda, the day after my blog post, independently found the same thing, named it subliminal spam, named the frames within the gif the same thing as me, extracted them from exactly the same spam image (which they managed to capture even though spammers are adding random noise so that hashing is impossible) and issued their press release.

On Wednesday, September 6, 2006 (two days after my blog post/Slashdot headline) Sophos put out a press release Spammers use subliminal messages in latest pump-and-dump scams in which they state: "Experts at SophosLabs™, Sophos's global network of virus, spyware and spam analysis centers, have identified a "pump-and-dump" stock spam campaign which uses an animated graphic to display a "subliminal" message to potential investors."

Once again the release doesn't mention me, Nick, this blog, Slashdot, Digg, ... It too includes an image that appears to be from the same spam campaign I was blogging about (a pump and dump for the stock TMXO), but there's no image borrowing here. The image is from the same campaign but different, and they no doubt didn't borrow any images from me.

Clearly, Sophos could have seen the same spam campaign as Nick and me and come to the same conclusion and called it 'subliminal' spam.

On Thursday, September 7, 2006 it appears that SoftScan got into the game too. They are mentioned in this article where it's written: "SoftScan's analysis of the latest pump-and-dump scam has discovered that an image appears for a split second every so often in the email with the word 'buy' repeated several times."

Disclaimer: I can't prove that any of these companies saw my blog post on Slashdot and then issued press releases, but the timing is interesting: my blog post comes first followed by press releases and articles using either the same image, the same campaign and all calling it 'subliminal spam'. Perhaps 'subliminal' spam was an obvious name, and I'm crazy, but...

An offer: on the other hand, if any company would like free rein to pass off things on my blog as their own work I have a simple offer for you: give me a small stock option in your company, call me a 'technical advisor' or similar, and feel free to take what you want from here.

UPDATE: SoftScan's Corporate Communications Manager Bo Engelbrechtsen comments below (see comments section) that they independently found this, and had never heard of this blog before.

UPDATE: In a private email a Sophos employee I know well says: "I personally alerted Sophos's PR team about this spammer trick [...] The word "subliminal" was the first thing that came to my mind when I saw it. [...] I don't read John's blog and am very disappointed with this insinuation. We receive millions of spam e-mails to our traps every day, many of which get analyzed and looked at by spam analysts around the world. We don't need to steal someone else's story..."


20 Comments:

Anonymous Bo Engelbrechtsen said...

John,

Just to clarify: SoftScan did not rip off your blog.

In fact, until you put SoftScan in your headline (and our news crawlers found it) I didn’t know it existed.

When spam is sent – it is usually sent millions at a time. That means that when you received it – chances are that a lot of other people and companies around the world also did and noticed the subliminal message. The reason why we call it subliminal message is in fact that that was what it was called when it was first introduced in the 50’s cinemas. (Do a Google search on ‘product placement’)

What you will also see is that the images sent to the media by SoftScan differ from the ones mentioned in this blogpost. The spam we used even promotes a different stock and the BUY image is also different. I can send you the original spam email if you are interested in looking further into this.

So, in short, SoftScan did not rip this story. We did our own research and published a press release based on spam mails we stopped.

Please do not hesitate to contact me directly if you have any further questions.

Best regards,


Bo Engelbrechtsen
Corporate Communications Manager
SoftScan
be (at) softscan.dk

12:23 PM  
Blogger John Graham-Cumming said...

Thanks for writing Bo. I've updated the original story to point people to your comment so that they are aware of your independent discovery and naming of this.

John.

12:39 PM  
Anonymous Anonymous said...

Yeah, good job you managed to resize the images to exactly the same dimensions (or by the same %) as when they were first posted. Oh, and also a good job that you named them exactly the same as the images posted on this blog. Nice rip off!

12:42 PM  
Blogger Keith said...

Geeze!!! and I'm still waiting for My Pizza to get here...

It'll prolly be cold... :(

12:57 PM  
Anonymous Anonymous said...

This post has been removed by a blog administrator.

1:07 PM  
Anonymous emaN said...

Wait a second, you weren't the first to discover this anyway. A comment on your own first post links to an earlier news story on these subliminal spam e-mails.

Here it is: http://richi.co.uk/blog/2006/09/new-spammer-tactic-blipverts.html

It will be interesting to see how long my comment stays up.

2:30 PM  
Anonymous Anonymous said...

the real reason why this is done is pretty apparent if you're using google mail. instead of seeing a thumbnail of the stock description image, you instead see one of the few animation frames, which is more likely to intrigue the viewer than a familiar stock message.

i think this is a much more reasonable conclusion than the ones you folks have jumped to. clearly it's not subliminal if it can be seen.

2:33 PM  
Blogger Fredrik said...

"It will be interesting to see how long my comment stays up."

If you want your observations to be buried, you should post them to reddit, not to John's blog.

(btw, another reason spammers are doing this might be to get around OCR-based spam detection tools. at least in my original sample, the image consists of five frames, with the actual message in the fourth frame, and a blank (but fully transparent) image as the last frame. An OCR filter that doesn't process all frames, or doesn't do a full animation, might end up OCR:ing the wrong data).

2:57 PM  
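The following is an added example for readers, not part of Fredrik's comment or of the blog: a minimal GIF block walker that lists every frame with its display delay and transparency flag, so a filter can OCR all frames rather than only the first or last. The `flash_frames` helper, its 10-centisecond threshold, and the five-frame `SAMPLE` are assumptions constructed for illustration.

```python
import struct

def skip_sub_blocks(data, pos):
    """Advance past a chain of GIF sub-blocks (length byte, payload, ..., 0)."""
    while data[pos] != 0:
        pos += 1 + data[pos]
    return pos + 1

def gif_frames(data):
    """Return (width, height, frames); malformed input raises an exception."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    width, height, packed = struct.unpack_from("<HHB", data, 6)
    pos = 13
    if packed & 0x80:                       # global colour table present
        pos += 3 * (2 << (packed & 7))
    frames, gce = [], {"delay_cs": 0, "transparent": None}
    while data[pos] != 0x3B:                # 0x3B is the trailer
        if data[pos] == 0x21:               # extension block
            if data[pos + 1] == 0xF9:       # graphic control extension
                flags, delay, tidx = struct.unpack_from("<BHB", data, pos + 3)
                gce = {"delay_cs": delay, "transparent": tidx if flags & 1 else None}
            pos = skip_sub_blocks(data, pos + 2)
        elif data[pos] == 0x2C:             # image descriptor: one frame
            lpacked = data[pos + 9]
            pos += 10
            if lpacked & 0x80:              # local colour table present
                pos += 3 * (2 << (lpacked & 7))
            pos = skip_sub_blocks(data, pos + 1)   # +1 skips LZW code size
            frames.append(gce)
            gce = {"delay_cs": 0, "transparent": None}
        else:
            raise ValueError("unexpected block 0x%02x" % data[pos])
    return width, height, frames

def flash_frames(frames, max_cs=10):
    """Indices of frames in an animation shown for at most max_cs (assumed threshold)."""
    return [i for i, f in enumerate(frames) if len(frames) > 1 and f["delay_cs"] <= max_cs]

def _frame(delay_cs, transparent=None):     # builds one constructed 1x1 frame
    flags = 0 if transparent is None else 1
    gce = b"\x21\xf9\x04" + struct.pack("<BHB", flags, delay_cs, transparent or 0)
    return gce + b"\x00\x2c" + struct.pack("<HHHHB", 0, 0, 1, 1, 0) + b"\x02\x02\x44\x01\x00"

# Constructed sample: five frames, brief fourth frame, transparent blank last.
SAMPLE = (b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0x80, 0, 0) + bytes(6)
          + b"".join(_frame(d, t) for d, t in
                     [(300, None)] * 3 + [(2, None), (300, 0)]) + b"\x3b")
```

Delays are in hundredths of a second; a scanner would render and OCR each frame the walker reports, giving extra attention to the indices `flash_frames` returns.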
Anonymous Anonymous said...

Anonymous said...

Yeah, good job you managed to resize the images to exactly the same dimensions (or by the same %) as when they were first posted. Oh, and also a good job that you named them exactly the same as the images posted on this blog. Nice rip off!


Panda was the one who used the same images, not Softscan.

3:38 PM  
Anonymous Anonymous said...

Maybe Sophos forget that you are no longer a member of their Labs/TaskForce team... :))

Good job for showing us the Panda methods :)

6:38 PM  
Anonymous Anonymous said...

Maybe I've missed it in the text, but how did SoftScan find out about your article and reply so quickly, if they weren't checking your blog?

6:48 PM  
Anonymous Anonymous said...

"how did SoftScan find out about your article"

http://blogsearch.google.com/blogsearch?q=softscan&scoring=d

or something similar, most likely. There's no shortage of blog scanning services out there...

7:44 PM  
Anonymous Purple Avenger said...

First rule of IP theft: deny, deny, deny,...until a court order forces you to do otherwise.

Then, you appeal and continue doing as you please until all appeal avenues are exhausted.

9:21 PM  
Anonymous Anonymous said...

So, John, are you going to apologize?

9:26 PM  
Anonymous Anonymous said...

Bloggers can't have it both ways. When it suits them, their sites aren't journalism and don't adhere to publishing standards. They liberally take from other sites, post rumors and link to the high heavens, "reappropriating" stuff...if someone voices a concern, they hide behind "it's just personal expressions." When it does suit them, suddenly everything is a publishing issue.

10:28 PM  
Anonymous Anonymous said...

stone cold jacked

7:01 AM  
Anonymous Anonymous said...

You're lumping all bloggers into one group. You do realize that is just as bigoted as saying 'all blacks are poor gang members'? SOME bloggers whine about being real journalists... OTHER bloggers whine that they should be able to post derivative articles. Only a tiny fraction of a percent are in the hypocritical situation of whining about both.

7:49 AM  
Anonymous Anonymous said...

Agreed it sucks to break a story and have another get kudos. There should be some kind of online voodoo service you can submit links to so that the responsible parties get poked with pins. Bastards. As for those who said you didn't break the story... well you should submit their names too.

9:28 AM  
Blogger johnie1 said...

I call shenanigans!

12:35 PM  
Blogger readystate said...

hi

i just read it the information about the soft scan panda rip off my website used so very good one

11:35 AM  
